CIO

NIST: SMS two-factor is dead! If you're a US agency

Any service provider to the US government that relies on SMS for two-factor authentication may need to swap the method for something with fewer design weaknesses.

Despite known weaknesses in using SMS for multi-step authentication systems, it remains widely used in consumer applications because receiving a one-time code in an SMS is easier for people to understand than using a one-time code generator or the increasingly popular push notifications from a secure app.

But the ‘SMS is simple’ argument soon won’t cut it for authenticated access to applications provided by US government agencies, according to a new Digital Authentication Guideline from the US National Institute for Standards and Technology (NIST).

Anyone responsible for implementing new systems should use an alternative to SMS messages for authentication since text messages over public mobile networks can be “intercepted or redirected”, NIST noted.


NIST does set national guidelines for a range of technologies used outside of government. However, this particular document — SP 800-63B, Authentication & Lifecycle Management — is one of three chapters of the general Digital Authentication Guideline, which is aimed at government agencies; contrary to how it appears to have been widely interpreted, it says nothing about SMS as an authentication method in consumer services.


“The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, authenticators, management processes, authentication protocols and related assertions,” NIST notes in the lead document’s abstract.

In other words, the guidance would apply to companies like Google or Apple insofar as the services they provide may be used to connect with government IT systems, but not to authenticated access to either firm’s consumer services, such as Google’s Gmail or Apple’s iTunes.

The recommendations on SMS fall within NIST’s guidance on “out of band” authentication. Nonetheless, NIST’s withdrawal of support for SMS for government apps is a sign of the times, given that anyone interacting with government IT systems is likely to be doing so via a mobile device — one that may be compromised by malware that intercepts SMS messages. Numerous examples of Android malware that targets SMS-delivered one-time passwords have been reported.

To combat phone number spoofing, NIST also stipulates that if SMS is used for out-of-band verification over a public mobile telephone network, “the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service.”

A more secure method for delivering one-time passwords is via push notifications through a secure app. NIST says that government agencies “may” send a push notification to a device for out-of-band authentication; however, the verifier “shall not” store the key itself, but must instead use a hash function to ensure the key is unique to the device.